On 8/27/19, Tony Finch <d...@dotat.at> wrote:
> Lee <ler...@gmail.com> wrote:
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
> I suspect this is RPZ obeying the weird semantics of DNS wildcard
> matching. The * only matches if the answer would otherwise be NXDOMAIN
> (the name does not exist). The weirdness happens when there are subdomains
> that exist, because any parent names are NODATA (the name exists but has
> no records of the query type) which suppresses wildcard matching.
> So the third CNAME causes com.102.112.2o7.net and 102.112.2o7.net and
> 112.2o7.net to exist, so any names under those domains do not match the
> wildcard. In your example appleglobal.112.2o7.net is under 112.2o7.net so
> it doesn't match.
> For the long explanation see
> https://tools.ietf.org/html/rfc4592 - The Role of Wildcards in the Domain
> Name System
> https://tools.ietf.org/html/rfc8020 - NXDOMAIN: There Really Is Nothing
> Underneath

Thank you!

I posted a similar question on the DNS firewall list;
hopefully the RFCs you listed will help me understand the 'empty
non-terminals' thing.

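To make the closest-encloser rule from Tony's explanation concrete, here is an added example (not code from this thread, and not BIND's own RPZ implementation) that models the RPZ content from the question as a set of owner names, derives the empty non-terminals a name server would see, and resolves query names the way RFC 4592 section 3.3 describes. It shows why appleglobal.112.2o7.net falls through, and `missing_wildcards` computes the extra wildcards you would have to add under each intermediate name if you want to keep the specific entry and still block the rest. Names, the `RpzZone` class and the helper functions are this example's own; the zone content is copied from the question above.

```python
"""Model of RFC 4592 wildcard matching as it applies to RPZ triggers.

Added example, not code from the mailing-list thread or from BIND. The
RPZ zone is modelled as owner names relative to the policy zone origin.
"""

# Constructed from the question above. "." as CNAME target is the RPZ
# action meaning "answer NXDOMAIN".
RPZ_FROM_THREAD = {
    "2o7.net": ".",
    "*.2o7.net": ".",
    "bcbsks.com.102.112.2o7.net": ".",
}


def labels(name: str) -> list:
    """Split a domain name into labels, lower-cased, trailing dot dropped."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def canon(name: str) -> str:
    return ".".join(labels(name))


class RpzZone:
    def __init__(self, rrsets: dict):
        self.records = {canon(k): v for k, v in rrsets.items()}
        # Every ancestor of an owner name exists as an empty non-terminal.
        # That is the whole problem: an existing (NODATA) ancestor becomes
        # the closest encloser and suppresses the wildcard above it.
        self.existing = set()
        for owner in self.records:
            parts = labels(owner)
            for i in range(len(parts) + 1):
                self.existing.add(".".join(parts[i:]))

    def lookup(self, qname: str):
        """Return (status, policy).
        EXACT    - name exists and carries a record
        NODATA   - name exists (e.g. an empty non-terminal) but has no record
        WILDCARD - name does not exist; wildcard at closest encloser matched
        NXDOMAIN - name does not exist and no wildcard applies
        Only EXACT and WILDCARD trigger an RPZ action."""
        q = canon(qname)
        if q in self.existing:
            rec = self.records.get(q)
            return ("EXACT", rec) if rec is not None else ("NODATA", None)
        parts = labels(q)
        # Closest encloser: the longest existing ancestor (RFC 4592 3.3.1).
        # Only the wildcard directly under it is a candidate.
        for i in range(1, len(parts) + 1):
            encloser = ".".join(parts[i:])
            if encloser in self.existing:
                wildcard = "*." + encloser if encloser else "*"
                rec = self.records.get(wildcard)
                if rec is not None:
                    return ("WILDCARD", rec)
                return ("NXDOMAIN", None)
        return ("NXDOMAIN", None)

    def triggers(self, qname: str) -> bool:
        return self.lookup(qname)[0] in ("EXACT", "WILDCARD")


def missing_wildcards(zone: RpzZone) -> set:
    """For every wildcard *.P, list the wildcards that would have to be added
    under each existing name below P so that *.P's intended coverage is
    restored. Adding these is one workaround; the other is to drop the
    specific entry that created the empty non-terminals."""
    needed = set()
    for owner in zone.records:
        if not owner.startswith("*."):
            continue
        parent = owner[2:]
        for name in zone.existing:
            if name.startswith("*") or name == parent:
                continue
            if name.endswith("." + parent) and "*." + name not in zone.records:
                needed.add("*." + name)
    return needed


def patched_zone(zone: RpzZone) -> RpzZone:
    """Copy of the zone with the missing wildcards added (same "." action)."""
    rrsets = dict(zone.records)
    for wc in missing_wildcards(zone):
        rrsets[wc] = "."
    return RpzZone(rrsets)


if __name__ == "__main__":
    z = RpzZone(RPZ_FROM_THREAD)
    for q in ["2o7.net", "foo.2o7.net", "a.b.2o7.net", "112.2o7.net",
              "appleglobal.112.2o7.net", "bcbsks.com.102.112.2o7.net"]:
        print(f"{q:30} {z.lookup(q)}")
    print("wildcards to add:", sorted(missing_wildcards(z)))
    print("after patch:", patched_zone(z).lookup("appleglobal.112.2o7.net"))
```

Running it shows foo.2o7.net and a.b.2o7.net matching `*.2o7.net` (a wildcard covers any number of labels below its parent), 112.2o7.net answering NODATA, and appleglobal.112.2o7.net ending in NXDOMAIN with no policy, because its closest encloser is 112.2o7.net and there is no `*.112.2o7.net`. The four wildcards `missing_wildcards` reports (one under each name from 112.2o7.net down to bcbsks.com.102.112.2o7.net) are what it takes to close that gap while keeping the specific entry.
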
bind-users mailing list